HackTheBox - Jail

IppSec · Intermediate · ☁️ DevOps & Cloud · 8y ago
00:52 - Recon - NMAP
04:05 - Recon - Getting Linux Distro
04:35 - Recon - GoBuster
05:40 - Analyzing Jail.c source
09:45 - Begin Binary Exploitation
15:10 - Verify Buffer Overflow
17:35 - Create Exploit Skeleton
20:50 - Finding EIP Overwrite
23:02 - Adding Reverse TCP Shellcode
30:15 - Switching to "Socket Re-Use" Shellcode
32:20 - Shell Returned
34:00 - NFSv3 Privesc Begin
40:15 - Begin incorrectly playing with SetUID
43:10 - SELinux Escape
45:25 - Using SELinux Escape to copy SSH Key
48:55 - Logging in as Frank
50:00 - Privesc to adm (sudo rvim)
51:44 - Begin of finding a way to root
55:58 - Begin cracking rar file
57:18 - Using Hashcat to generate custom wordlist
60:40 - Cracking with JohnTheRipper
62:30 - RsaCtfTool to exploit weak SSH Pub Key
63:36 - Login as root with SSH Private Key
64:11 - EXTRA CONTENT: Alternative Privesc to ADM (NFS)
65:21 - Creating a directory to give other users NFS Write access
67:30 - Correct way to do SetUID Program
71:04 - Using SetUID Programs to write to disk

What You'll Learn

The video demonstrates a cybersecurity challenge on HackTheBox, specifically the Jail level, using various tools and techniques such as nmap, gdb, and exploit development to gain root access and escape the SELinux sandbox. The challenge involves exploiting a buffer overflow vulnerability, bypassing SELinux restrictions, and cracking passwords using tools like John the Ripper and hashcat.

Full Transcript

What's going on YouTube, this is IppSec, and today we're doing Jail from HackTheBox. This box is pretty tough because it involves piecing together a lot of small exploits to get a user shell. Once you get a user shell, then you have to escape the SELinux jail, and then the privesc to root is pretty straightforward. The exploits you've got chained together: you've got NFS listening, version 3, that allows user ID spoofing; the web server exposing source code to a C application you have to buffer overflow; there's an iptables rule that prevents reverse shells, so you have to do socket reuse; and even after all that, you get a shell on the system and you have to use a SELinux bypass to get to a regular user. And the privesc is just, I think, abusing vim and a RAR file. It's been a while since I've done this box, so let's jump in.

For this box I'm going to do two different nmaps. The first nmap is going to be on all ports, so nmap -p- to scan all ports, -oA to give it a filename, and we'll call it all-ports; the IP address of Jail follows that, 10.10.10.34. If you want to speed it up you can do -T4 or -T5 to speed up the scan. Looking at the results of that, we see it has a few ports open, so with those ports we're going to do a second nmap scan and just enumerate the version and run safe scripts. So nmap -sC -sV, that is safe scripts, enumerate version, -oA, we'll call this one basic-scripts, and -p to specify the ports: 22, 80, 111, 2049, 7411 and 20048. After that we can put the IP address, which is 10.10.10.34.

Looking at the results of that, we have nothing really interesting for SSH. The web on port 80 is very interesting because it's telling us Apache 2.4.6 CentOS. Just like IIS on Windows, this tells us essentially what flavor it is: by IIS version you guess 2000, 2003, 2008, 2012, 2016, and with this we can guess CentOS 5, 6, 7, etc. So to do that, let's go over to Google and just search Apache httpd 2.4.6, and I'm going to put RHEL. CentOS is just essentially a fork of RHEL for free; RHEL is the paid version, so
naturally it has better documentation, and the reason I do httpd is because that's another name for Apache. Let's check out the first two links just in case the first one doesn't have what we want. Scroll down, let's search for 2.4.6, and this doesn't look like it's the blog post we want. Switch to this one and we have it here: Apache HTTP Server is included with currently supported products; RHEL 5 is 2.2.3, RHEL 6 is 2.2.15 and RHEL 7 is 2.4.6. So we can guess that our target box Jail is going to be CentOS 7.

Next thing we have NFS, and we see NFS version 3, so we can spoof user IDs there. That is definitely key and we'll get into that in a little bit. 7411, we don't know what port this is, and 2048, or that's 20048, my bad, is probably related to NFS as well; we see it's mountd. So going out of the nmap, let's just check out the web server on port 80. Let's go to 10.10.10.34 and we see just "Jail", nothing really interesting there. Looking at the page source, just tags, so again nothing interesting. Maybe want to do robots.txt, and not found, so we don't really get anything. So let's open up gobuster and bust this page.

Go down one directory and let's look at the options for gobuster, because I don't remember them all off the top of my head. We have -w for wordlists, and we'll specify the /usr/share/wordlists dirbuster directory-list-lowercase-medium, and then -u for the URL, so -u http://10.10.10.34, -o for output file, we will call this dirbuster.log, and -t for threads, we'll specify 25 threads. With this run, almost immediately we get a /jailuser directory. So let's see what that is; it's got a dev directory. Going in here we see three files: compile.sh, our binary, and jail.c. So my guess is compile.sh is how we compile jail.c, which makes jail, and jail is probably listening on port 7411, and that's the port we didn't know from nmap. Looking at these results, let's see, the first interesting thing I see is strcpy. This is going
to be buffer overflowable, most likely. We have a userpass here that is a 16-byte buffer, and password down here is 256, so a strcpy will be copying password, which is a 256-byte buffer, to userpass, which is only 16 bytes, and that is where the buffer overflow occurs. We have a hard-coded username of admin and a hard-coded password of 1974jailbreak. Scroll down, right here is probably where user input is taken, and they're using strncmp, so this one is not buffer overflowable, but if the token starts with "USER " then strncpy, again not buffer overflowable, copies what's after "USER " to the username. Same thing here: if input begins with "PASS ", copy what's after "PASS " into the password variable. Then if it begins with DEBUG, let's enable debug mode. So upon successful authentication there are two different things we can do: we can open doors or close doors, and if we look, almost nothing happens other than just printing out the cell. Can ignore that; once we've logged in there's no good functions, just looking at that source. Scrolling down we have, looks like, socket stuff, so we're probably going to listen on the port like we thought earlier; it's going to be 7411, down here is where it shows it, and that's it for the source code.

So let's see what debug actually did. There was a variable debug_mode; let's see what that mode does. If debug_mode equals one, print out the userpass buffer. And the userpass buffer, let's see where this is getting assigned: it's just going to be that buffer overflowable thing and the input of password. So I don't know what the benefit of changing the password variable to be userpass is, but that's all that's happening. So create a new directory and download all the files: make http and then do a wget -r, for recursive, http://10.10.10.34/jailuser/dev, download all the files, and then go in and copy the ones we want out. So move compile.sh, jail and jail.c, and let's look at compile.sh. We have it doing -m32, so this
is going to be a 32-bit binary, and -z execstack, that's going to make the stack executable, essentially disabling DEP. So the next thing I would do is probably set up a CentOS 7 box so we can do everything on that. You could probably do this on your Kali box or whatever OS you're using, because the binary is rather simple, but whenever doing any buffer overflow stuff I always try to mimic the target as close as I can. So I have a CentOS box set up called centos7, and let us copy files to it. So cd http over here, let's make the directory called jail and scp everything over to centos7:jail. Do an ls, go into jail, and then let's remove the jail binary because we don't care about that; we're going to create a new one. Go into compile.sh, get rid of those because we don't need them, and I'm going to add one flag, -ggdb. This is going to add a bunch of debug information to the binary that helps us debug it. So when we run compile.sh we get a jail binary, and if we do gdb on jail, we have list, which gives us the source code of the binary, and we can actually just set a breakpoint on the line of C code, so we don't have to go and analyze all the assembly to set breakpoints. It becomes very handy doing these types of things.

So to begin the debug process, I'm going to create a new window, ssh to the CentOS server and execute the program. The reason I'm doing this and not just using gdb to start it is I don't like using gdb to start programs; I'd rather just attach to them, because gdb does a bunch of things to the environment prior to starting it, like disable ASLR and things like that, which can have negative impacts. So I normally start the binary and then attach to the PID. So ps -ef, grep on jail, it is PID 26606, so we can do gdb --pid 26606. The first thing I'm going to look at is the follow-fork-mode option in gdb. So this is going to be how gdb handles when a process forks, and it's going to follow into the child process; that's good. The next thing we want to look at is what
it does to the parent process, so I'm going to do show detach-on-fork and we see it's going to detach from the parent whenever it goes into the child. We don't want that, so we're going to set that to off. So now we can test everything. If we continue, run by doing an nc 10.10... or not 10.10, the IP address of our Linux box, which is 192.168.101.142, and the port is 7411, we see the new process; gdb went into that. If we do USER admin, PASS something, we get authentication failure, and then gdb doesn't go back to the parent automatically, so we can do info inferiors and we see the parent process of one, so if we do inferior 1 we're back into the parent. So if we go back to that port 7411, let's start off by saying DEBUG, then USER admin, PASS, give it a pass, and we see the userpass buffer at 0xffffce70, and I actually think gdb took over the memory address. So let's exit here, go back, kill -9 jail, okay, ps -ef, grep on jail, gdb --pid 26619, detach-on-fork off, c. So I think the mistake I made was I typed r, which killed the parent process and restarted it. So if I do nc 192.168.101.142, DEBUG, USER admin, PASS, give it junk, there we go, 0xffebb890. So now we're no longer in gdb land, we're just debugging the native process, so we can't use r ever; we always have to continue, and we do inferior 1 to jump back to the parent PID, continue again, and we're good.

So the first thing we want to do is start our exploit skeleton. Oh actually, before we do that, let's see how many characters it takes to overflow the buffer. So nc again, let us send it in a new pane, what was it, USER admin... yeah, we can actually do one thing before that. So let's background this, look at the source code, and let's set a breakpoint right after the buffer overflow, so on line 22. Okay, now I can continue. PASS, let's send it 40, so python -c print "A" times 40, and since the userpass buffer is only 16 bytes this should crash the program. So sending 40 A's we get breakpoint 1 hit
and we can do x/10s to examine as strings, and we can examine the password variable, and we see right at that memory address that A is repeated 40 times. If we want we can look at hex, so x/50x at that address, and we'll do 16 bytes before that address. So before that address we see random stuff, then we see 40 A's, so we know at the address it's leaking, it's exactly what we put as the password. So if we put shellcode there and set EIP to that address, we could execute the shellcode and get code execution.

So let's see, we've got to do inferior 1 to jump back to the parent, and we want to, let's see, let's create the skeleton exploit. So let's copy a bunch of text, it'll be handy eventually, and create a directory called buff I guess, and we'll create exploit.py. So we're going to use pwntools; the very first thing then would be from pwn import *. Then we've got to set the basic stuff, so set basic junk: context.os equals linux, arch equals i386, then host, port equals 192.168.101.142, the port is equal to 7411. Then the memory address leaked is going to be a 32-bit memory address like that, and before that we need junk to get to the EIP overwrite, we actually don't know that yet, memory address leaked, and then after that we need shellcode to execute, and we don't know that yet either. So the very first thing we have to do is connect pwntools to the host, and we do that by p = remote(host, port), and then once we connect we are going to do p.recvuntil OK READY, send user command, and then we're going to send the line DEBUG, and we want to sendline USER and send the PASS okay, then p.recvuntil OK DEBUG MODE ON, and then p.recvuntil PASS, and then plus, where is it... So what that's going to do is simply an expect session: wait until we get the banner of the program, which is OK READY; once we see that we're going to send DEBUG, then we're going to wait until we see the program tell us debug mode is on, we're going to start logging in with USER admin, then
receive until it asks for the password, and send the password plus all our junk. So the junk, we're going to get that by going back into gdb, it's PEDA, background that, pattern_create and we'll give it 50 bytes. If we copy this, put this in junk, save this and then execute our script, we have a breakpoint right away. If we examine that memory address we did last time, we see the buffer's changed to be the cyclic redundant pattern or whatever pattern that gdb created. Let's continue this and we get a crash; we have EIP crashing when A is a semicolon AA. We do pattern_offset on that value, and you could use the MSF tools to generate all this, I just find it quicker to do it within gdb PEDA since I don't have to switch programs. So we have the offset at 28, so after 28 bytes we control EIP. So inferior 1, let's jump back to the parent, go to exploit, and after 28 things we get an overwrite, and I'm going to put the junk as \xCC, which is going to tell gdb if you ever hit this and execute this opcode, break. And yeah, the reason I do that is I never should jump into junk, and if I jump into junk something bad happened, and I want the program to break instead of crashing, because it's just more graceful and I can debug better.

So we have the jump, the memory address, and we need shellcode to execute, so let's Google shellcode Linux reverse TCP x32... x64, or not x64, crap, x32, yeah. Then we want to copy the shellcode, then I want to copy this URL, reverse shell x32, and we have to make a few modifications. So the first modification is we don't want IP 127.1.1.1, and we see it's broken up a hex byte for each octet: 7f is 127 in decimal, and \x01 is 1 in decimal, etc. So we want this to be 192, which is c0 I believe, 168 is a8, 101 is 65 I believe, and the last octet is going to be my IP, which I think is 143. It is 143, and 143 would be 8f I think; let's see, 0x... in decimal 143, yep, so we got that correct. Then the port, 5555, 5 is good, and we should be able to run this. So let's set up a netcat session to
listen on port 5555 and execute this and see what happens. We get the breakpoint where we set it, continue, and then we hit stop reason SIGTRAP, so we landed in the CCs, so we landed at the junk, and I don't know why we landed in the junk. Inferior 1, let's go back to the parent. And if we hadn't done that, I can show you what would have happened: so if you just did A's like most people do for junk, that is actually inc eax in hex, so it's not going to be obvious we hit junk, so we'd just crash. EBP, let's see, EAX is this address, yeah, it's not exactly obvious that we landed in junk since it doesn't break automatically. It landed in the junk, did increment EAX forty times, or twenty-eight times, and then crashed. So having that as CCs just saves you time.

And the reason why we landed in junk is because the memory address is pointed right here; we have to add twenty-eight bytes to that, then we're at memory, and if we add another four bytes we're at the buffer. So if we do this address plus thirty-two, c, inferior 1, continue, breakpoint, and we get a shell. Awesome. So now we just have to change this exploit to go against the actual server, and it's not going to work, but we're going to do it anyways and then figure out what the issue is and fix our shellcode to do something else besides a reverse shell, because the reason it doesn't work is there's a firewall blocking us. So we can use a socket reuse, but we'll cross that bridge in just a few minutes. Let's point this shellcode against the server and verify that we don't get a shell back. When we go against the server all we have to do is change the IP address, so we look at our tun0 address, which is the VPN; it's 10.10.14.12. So let's go into the exploit script and change the IP. So that IP was, not 127.1.1.1, for documentation purposes that was 192.168.101.143, and this IP is going to be 10.10.14.12. Those numbers are much easier to work with in hex, so 10 is 0a, 0a, 14 is going to be 0e, and 12 is 0c. So when we run this, oh, we forgot one thing, the
actual IP address of the server, so host, port, and that's going to change and this is going to be Jail's IP, which is 10.10.10.34. So set up a listener on 5555 and run the exploit, open, and we don't get a shell. So that's a problem; we can't really see exactly what happened, and I noticed I missed one small thing. I thought it was a lot fewer changes than it actually was, but one small detail that we need to do: connect to it, do DEBUG, USER, and then PASS with some junk and copy the password buffer. So that it's fffff, oh well, won't think too much of that, I thought it wouldn't be that. Let's see, paste, and let us put the new memory address. Oops, we can call this lab and this will be htb. So we're still listening, run the exploit, and we don't get a shell. So now we have to kind of think what we can remove to take out any unknown variables, and we can remove the entire creating of a connection, because we can reuse the same socket we have doing the netcat. So right when we hit this buffer overflow, if we did USER admin, PASS, and we did the buffer overflow here, and we gave it the correct magical address, instead of just crashing we could have it jump to a shell and send that shell over stdin and stdout, and that's a lot easier done actually than said.

So we just go back to Google and we can Google socket reuse x32, probably brings us to shell-storm shellcode, and go here, take the shellcode out of here, which is much smaller than the reverse shell because we're not dealing with the TCP stack at all, and make this bigger, socket reuse x32, paste, and add a few things. Don't know why I copied the blank line there, but I did; clean that up, comment out this one, and we just need to add a p.interactive() at the bottom. So that's just going to tell pwntools to drop to an interactive mode, don't wait for anything, just give us a shell like we were connected to netcat, so it drops out of expect. And let's try that, python exploit, switch to interactive mode, and if we do ls we have a shell, and do id, we
are running as nobody, and our context is here, which we're not really used to seeing; this is a SELinux thing. I forget the terminology, I want to say it's called labels, but I would definitely google it. I'm not a SELinux expert, but I do remember reading about a SELinux bypass on netsec a few months ago, or maybe a year ago. So if we just do site:reddit.com/r/netsec and do selinux escape, it brings us right to the CVE, and going into these comments, they probably explain it better than I ever could. Too long didn't read: stuffing the terminal input buffer with commands to be handled by the process that runs after the sandbox finishes. It's essentially the most interesting command injection I have ever seen, says the user deleted, so it's such a good comment and he deleted his account or whatever. But let's follow that link to get the actual exploit.

And going back to a shell, let's just, let's see, if we do that... let's clean up this; we don't need this session anymore, let me kill that. So just create a new window and let's test out the NFS stuff. When I was doing this box the first time I immediately jumped to NFS as soon as I had a shell, and the reason for that is I knew NFS was open and I knew it was version 3, and with version 3 you can spoof that user ID. So it isn't uncommon to come across a system where you can mount something as NFS version 3, create a setuid binary as root, chmod it with that setuid permission, and then execute it for easy privesc. So that is why I jumped to NFS immediately, and we can begin looking at it now. So let's go back to the nmap scripts, and we see from the basic nmap it just shows NFS version 3. So what we're going to do is run a command called showmount and then --help; we want to use the -e flag, or --exports, on 10.10.10.34. That will tell us that it has /opt mounted and /var/nfsshare mounted. If you see DNS names or IPs here, those are the ACLs on what can mount the share. All of NFS is based upon the IP address or DNS name in terms of permissions.
NFS version 4 does have things like Kerberos for authentication, so you actually have user-based ACLs, but with version 3 there's no ACLs whatsoever; that's all client-side. The other command you could run is like a showmount -a to see all the mount points on a share. Sometimes this command won't work and things will still be mounted, but the reason this is beneficial is if there was a home directory mounted on NFS, it may be possible to drop an SSH key, view the mount points, and start SSHing to servers if they have the home directory mounted as an NFS share, which does happen.

So first step is let's actually mount these shares. So I'm going to do mkdir /mnt/jail and in the squiggly brackets I'm going to put opt and nfsshare, and that's just going to make two directories. We don't have a parent directory created, mount, so I'm going to add that -p flag to create that automatically, and if we do ls /mnt/jail now we have two folders. So if I do mount -t nfs -o vers=3, that's going to say specify version 3 on the NFS mount, and we're going to say 10.10.10.34:/opt goes to /mnt/jail/opt. We're going to do the same exact thing for nfsshare, and this one is going to be mounted for nfsshare. There are tools out there like nfsshell and NfSpy to do all this for you and automatically spoof user IDs, but I have had plenty of times when I used NfSpy and it accidentally deleted the file instead of writing to the file, which can cause issues. So I like using just stock binaries whenever possible; not having to go a hack-around way to do something that I can easily do without a program, I just experience less weird issues that way.

So if we go into those, if we go cd /mnt/jail and do find -type f to see if there's any files we have access to, we get permission denied everywhere, so we can't access any files. If we go into ls -la we can see root owns nfsshare and root:root owns opt, and if we look we have a group ID of 1000 as the group owner of this
NFS share, and it has write access to it; it can't read but it can write. So it's saying 1000, which means our Linux system doesn't have that UID. So I'm just going to change a user to be that UID: I go to vi /etc/passwd, I'm just going to change that to be 1000 1000, and we're going to go into groups and change my permission to be 1000. So now when I do an ls -la my box is telling me that it has access to write in the NFS share; root users of the group it. So if I do su to switch my user, I can go cd /mnt/jail/nfsshare and we can touch a file, so touch filewritetest creates that file. We could go to the shell and do an ls on /var/nfsshare, and sure enough, filewritetest, and we see the file does exist. We could also cat the /etc/exports and see what permissions are set on this. So because root_squash is enabled, that means we can't spoof the root user; whenever we remotely access something as the root ID it maps it to, I believe, nobody, so that's what it squashed us to. The no_all_squash says all non-root users, don't squash the permission, so that is why we can now take ownership of this filewritetest file. So if we do an ls -la on it we can see read-write owner and then read, read other things. So changing here, we do chmod 4755 on filewritetest, do that ls -la again, and we see we now have read-write and a special permission, which is a setuid. So that has been done.

My next step would be to go back to this pane and we'll create a file called id.c, and I actually don't like that: f-id.c, and the contents of that is going to be simple, it's going to be int main(void) and then setuid(1000), setgid(1000), system("id"). And when writing C code, never ever not use a full path there; I think in the Lazy video I go into why to always use absolute paths if you're actually writing secure code, because you could just hijack that path. So that file should be written; for good measure we'll see if this server has gcc. It does. We could compile on our Kali box but might as well compile
it on the server if it has it. So /var/nfsshare, what was it, /tmp/f-id.c, over in the NFS share, yep, f-id, and no file. cat it, f-id.c, it exists. Oh, I'm guessing because we're nobody and we can't write there. So what we're going to do is just compile it on the Kali box and hope for the best; if not then we can compile on the CentOS box and copy it over, but it's not doing anything special so I imagine this is going to work. Those are just warnings and that is fine. So chmod 4755 on f-id and go over here and execute it, so /var/nfsshare/f-id, and it doesn't do anything. So if we look at that, /var/nfsshare/f-id, we can see it should work. The last thing we check is do we have access to the mount command? We do. Let's do mount and grep for nosuid, and we can see this won't work: /proc, /dev, /sys, /run, these are all just directories where setuids are prohibited. We don't see /var or nfsshare there, so it should work, but SELinux is preventing us.

So let's go back to this exploit and see if this works. So we'll do sebypass-id.c, I hate clipboard sometimes, set paste, there we go, and then we can do gcc sebypass-id.c -o sebypass-id and we'll chmod it 4755, sebypass-id. Did I typo something? I think I did. Let's just copy this function... warning, oh, error, I guess I miscopied; I copied the whole thing and missed the libraries, yeah, so we need to copy these. Reading is a very valuable skill to have. Where's the gcc, there we go, just copy this, there we go, that worked much better. And then we can chmod that to give it the setuid permission and go over to our Linux box and do sebypass-id, and we see the output changed slightly: we know that the euid is frank, which is the effective user ID, so we have escaped this SELinux sandbox and we're now frank. Again, if we just ran id we don't have that effective user ID, so the next thing is to change that, and we're going to make this, let's see, /bin/cp, and the reason why I was using id to prove my
user instead of, like, a shell and just hoping, is because I have no idea how my tty is set up doing this interactive thing, and I didn't want to do the Python import tty stuff, so id was a simple way where I didn't have to deal with that. It's always best to make things as, I guess, less complicated as possible. So then a cp, a file, and the magic file, we can see, is an SSH key that we will have to create after we type this. So we'll create a key, and let's see, /var/nfsshare/..key, and we're going to copy that to /home/frank/.ssh/authorized_keys, and is that a period, not a comma? I think that was okay, that looks good to me. Let's generate a key, so ssh-keygen, the directory we want to save the key, we'll do /root/Documents/htb/boxes/jail/frank/frank-key, that looks fine, we don't need a passphrase, and the key has been generated. So let's cat frank-key.pub, copy this, go over to our server, and what was it, yep, -key is what we called it. Look at this sebypass file again, that was sloppy not giving it a different name; it is /tmp/.key and I called it ..key, so we'll change the .key to be ..key, okay. Again, run gcc again to compile this and we'll call this dropkey, wrong pane, over in the NFS share, if we've got this, chmod it, okay, execute the file and now we should be able to SSH with that private key. So ssh -i frank-key and we'll do frank@10.10.10.34 and we get in right away.

So now we have a shell on the server as frank, and the next step in privesc is something I will generally do before even running scripts. This video is getting long, so I'm going to skip running LinEnum and linuxprivchecker; if you want to see those scripts, look at another video. But the first thing I do when I get a user account is sudo -l. We see that frank may run sudo as the frank user to read /opt/logreader/logreader.sh. Seems like a red herring: why would frank want to switch to the frank user to execute a script? We can look at that script anyways and see what it does, and it doesn't look
vulnerable at all; it's doing a cat against a log file, and cat is an absolute path, so I don't think I can do anything there. We could check its permissions; I can't even write to the file, so I would ignore that right away. We can switch to the adm user and execute rvim and edit the jail file, so let's check that out. So we'll do sudo -u adm and then the command we're allowed to run, and instead of changing anything right away, we notice we're in a vi session, and with vi we should be able to just do :python and break out. So if we do import pty; pty.spawn("/bin/bash") we get a shell, and enter a few times, clear that, and we do id, we see we're now adm. So we just used vi to execute a command. You can do a lot of the similar things in like less, I believe, and whatnot. Be careful who you give sudo access to in general; I think you're supposed to use like sudoedit or something that may fix it, can't remember off the top of my head, but just unintended effects of giving sudo to, or the sudo ability with, vi.

But now that we're the adm user I'm going to look at the home directory of adm to see what I have access to, and we'll do find -type f and we see there is a .keys directory with note.txt, .local, .frank and .keys, and keys.rar. So this file is actually encrypted; if we wanted to verify that we could do like unrar x to extract, and paste that file, and we get a password prompt. So if we cat this note.txt to see what this reveals: Frank, for the last time, your password for anything encrypted must be a last name followed by four digits and a symbol. So we could start brute-forcing from here, put a bunch of last names and create that wordlist, but let's see what this .local/.frank is. So if we cat that we see something that's definitely obfuscated; I don't think it's encrypted because "sc sc sc" doesn't seem like much entropy. It screams like rot13 or something where the same operation is being done on every character, just based upon the repeat; that looks to me like "hahahaha". The reason why
it's not rot13 right off the bat is Z to A is just one character difference, not thirteen. So we can just send this to rumkin cipher, so a good tool that has a bunch of online ciphers, and if we go to rot13, it's nothing. Rot encoder, and we can just go through all the rotations and see if we see anything. We got "ahaha" and then junk, so that's not it; keep going down, "hoho", nothing, and going through all the transitions we don't see anything. So then I start to think about other tools to run, or I would just go to, like, I think it's quipqiup, I think that's the right spelling, and then we'll use this site to solve it, which essentially just brute-forces everything, I believe, and it gets it pretty quickly. If you want to do it, you think what could Z be to turn it into A, and I would just think like an Atbash cipher, which essentially inverses every character: Z goes to A, I can't think of that alphabet backwards, but B goes to Y, that's it. And we paste that in the cipher and we get it there. So that was Atbash: "ha ha, nobody will guess my new password, only a few lucky souls have escaped Alcatraz alive like I did". So we can just Google Alcatraz escape, go to here, and see it lists a few people: we have Frank Lee Morris, John William Anglin and Clarence Anglin escaping Alcatraz. Since our username is Frank, I'm going to guess it is going to be Frank Morris as the person that has escaped Alcatraz. So the first thing I'm going to do is read this note again; we're going to guess that the password is going to be Morris, four digits and a symbol.

So let's copy the RAR file to our server. The easiest way to do this is just base64 the file; we could use scp since we have the key, but I find this relatively easy to do on small things. So copy that, open a new terminal, we'll call this keys.rar.b64, paste, base64 -d on that file to be just keys.rar, md5sum, that's the wrong window, md5sum on keys.rar: fe1 and ends with 86; fe1 and ends with 86, so we got the file there. We're going to use a tool called John to
raw I thought I had it where maybe writer John on that directory and we get something that is friendly with John the Ripper to crack one key thing is this isn't actually implemented in a hash cat yet I checked and how I did that was I went to Google hash cat example hashes gets us to the page and I Google what I think is a unique identifier is rar 3 and that gives us the sample output that would be we have Roy 3-0 then just very few parameters if we look at this hash it's 1 and then a lot so the next thing I did was I think I just googled this with hash cat and look at the feature request and we see its Help Wanted new algorithm and talk about implementing this so this portion isn't actually in hash cat but we can use John the Ripper to crack it so let's go to my cracking server and I'm still going to use hash cat to generate the word list just because I'm familiar with hash cat rules and not John rules so we want to create a targeted word list with Morris four digits and assemble so I'm gonna go into the hash cat directory execute hash cat - - help and go to the bottom we're gonna want to use the brute-force attack mode so - a 3 and we can see how to use it we have question mark a question mark a question mark a what that means is go up to these character sets and question mark a is going to brute for all lowercase letters uppercase letters digits and symbols we don't want that in it we just want to do four digits and a symbol so if we do dot slash hash cat - - SD STD out that's just going to output stuff to stand it out we don't actually have to crack a hash with it this is relatively new it was always in the hash cat 4 CPUs wasn't an ocl hash cat in version 3.0 they merged those two branches and - has STD out became available for everything and it's been amazing to create word lists so it was Morris and for times sake I'm going to put the 19 in because I know the first two digits 1 9 then we'll do two digits and a symbol I'm going to direct that to a file / root 
/ John dot what do jail dot woods and I think that's it and while that copies I want to grab that wrote a John output I don't think I copied it to a file and will do V root jail dot hash camp and file for writing what I'm root Oh wrong path it's been a long video Jo - there we go so if we cat jo woods we have Morris 19 two digits and a symbol I really hope it's 19 not 18 but we'll find out I guess go into the John the Ripper folder I think of the binary under run 11 under opt is that the most recent one I can't remember what is the more recent copy of John Ellis - away John Ellis - away John John July 16th versus November 14th November's more recent so I think I'm in the correct directory would help if I was a bit more organized so John - - word list equals root slash John jail dot words and we want to crack jailed on hash / root jailed on hash and open Cpl loaded one I think it was in my pot flour to begin with - I have a pot file here and the John got pot - John old and we'll try cracking that again I could have just done - - show but what happens is when you crack something successfully it puts it into a file so it doesn't crack it again so this should crack relatively quick with that yep so we got it Morris 19 162 so if I ran that again it would instantly finish and if I wanted to I could do - - show maybe we have to get rid of that word list option yeah and it would show it that way so we have that password Louis 1962 so if we do under our X on that archive paste the password it extracts root authorized SSH key pub and I'm not going to go into all the RSA specifics I think this was done on the brain-fuck video if you want to watch that and get into more how RSA works but we're just gonna use a tool called opt or say CTF tool and that does a lot of common attacks against OSA do - - hope I think it will help put the options I think I needed public key and private option let's see yep so I'm going to tell it we have a public key and the public key is route 
authorized SH key pub and we'll do - - private and we can do - - verbose to see what it does riposte isn't needed but I just like throwing it and we see it's doing the Weiner attack and see if it gets it I hope it gets it pretty sure this is how I did it the last time yep there we go begin private key will copy this to a file so we do root - key paste chmod 610 1010 34 jails IP and we get in as root so that is the jail box I hope you guys enjoyed the video and um yeah take care actually I lied we're gonna add a little bit of a special bonus to the end of this after I recorded the videos I was talking to no decaf and someone actually found a really cool unintentional way to profess to the ATM user using NFS so we're gonna show that method off because it definitely changed my understanding of how the set UID bits work in Linux so yeah let's jump back in so to get to a spot we can easily continue working on it we need to SSH into the jail server as franc which is the unprivileged user and we need to verify we store the NFS server mounted so we can do a mount grant for NFS and we see it is indeed mounted let's switch over to tip which is UID 1000 that is the user franked owner NFS server if we go into ver NFS share mount and F jail and a fair share on the server if we go into over do it LS dash L a grab for NFS we can see only the Frank user can write to this box of course root can but on this directory only Frank should be able to write to it and because ADM or other users couldn't write to it we couldn't escalate to their user however if we create a directory let's say hip sack and chmod that to all sevens now any user can write to this directory and we can verify this by switching over to a root user who again cannot write to NFS by default because there is the root squash on that Etsy export so the root user is mapped to a nobody user so we can verify that in this NFS share can't write but if we go into the IPSec directory that we just created and chmod it to all 
sevens we can write there and going into NFS share if set we can see NFS nobody has created a file so what we have to do is now cat the Etsy passwd for the ADM user which is going to be UID 3 and 4 go to Etsy passwd on our box and change it to be 3 & 4 let's go into group and see what for is on group it is a DM as well so we can switch to hip again go to mount Jail NFS share hips ik touch test I guess three maybe where is it - I lost count but test three is now owned by a DM a DM so we have now created files as the a DM user on that Ana fasciae the next thing we have to do is create a set UID program and this is going to be a little bit different than all the previous set UID programs I've done the past because I completely misunderstood set UID so we'll go over that right after I've managed to type this out hopefully I don't make typos and have to debug this and this program actually came from no decaf I'm not taking credit for writing this because again I completely misunderstood set UID okay so that should do it the main difference with this program is we are using a exec call instead of system and the reason we're doing that is because system drops effective user IDs from programs and effective user ID is how set UID works if you just have a file owned by root you can just do a set UID and it changes the owner to root if the file is owned by someone else and you'll want to take advantage of a sent UID bit it sets the effective user ID which system drops exec does not so that is the key also kudos whoever found this unintentional Prive esque method it is definitely a hidden gem that I learned a lot from and I got the misconception about set UID because in my defense reading this set UID set submission of the executives owner group and yeah it's just where my misunderstanding came from didn't read exactly how everything worked underneath so maybe you guys learned something there too but let's show exactly how it works so GCC set UID dot C we'll call this su ID 
create the file chmod six seven five five on the binary and this first bit when we have four this is the special permissions bit one is sticky bit two is set GID and four is set UID so we add both set u ID and set G ID we get six so that is how why this is six then read write execute read execute read execute so if we go back here and do an LS dash L a we see the set UID binary is owned by ADM ADM and we have the special bits set so if we do dot slash su ID and ID we get an effective user ID as a DM and effective GID as a DM so now we can do su ID find / VAR ADM and we have access to destructor E and again our user doesn't have access director if we just LS or something we get permission denied so that's pretty cool another neat trick with this set UID program is I think when I was doing the selinux portion when I do that exec call I can't use like pipes or directs and the actual binary because that breaks it hard to explain why I don't really fully understand but there is a neat trick so if we do like echo test and we put the pipe to the set UID and call the program T which is going to take whatever is in stand it out and direct it to a file we can actually write files without making the set UID on the other side of a pipe so we'll make the file EPS sec and we'll put no decaf rocks and I keep calling it set UID actually types at UID it's just su ID so if we look in slash temp now we have that file if SEC and it is owned by ADM so as Frank we were able to use the exact call with an su ID to write a file which is awesome and we can now cat town if SEC and we get no decaf rocks so what this would have allowed us to do is be less destructive in the previous test when we just copied the key because when I copied my SSH key into authorized keys it clobbered authorized keys and only wrote my key if we had done it this way we could probably do like T and I think it's - a to append I could tell you yeah - a to append so if we just do T - a and we cat temp if SEC we now 
append to the line so going back I would have echoed my public key as Frank and did a T - a to append the SSH key to the authorized key file so I didn't clobber it if it was there because again deleting files is always bad and you may be wondering why wouldn't just copy a SSH key as the ADM user I kind of glossed over that if on the server we can't at the passwd and grep for ADM we see his shell is s been no login so even if we could write the SSH key we don't have a shell to login as so I hope that was and beneficial and take care guys this time I am gone for real well until next week bye
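The cipher reasoning at the start of this section (rule out rot-n, then notice that Z to A, B to Y is the Atbash mapping) can be automated. The following is an added example, not code from the video or from any tool shown in it; the ciphertext is constructed by Atbash-encoding a phrase from the note, since the page does not reproduce the original ciphertext, and the small common-word list used for scoring is an assumption chosen for the demo.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text: str, n: int) -> str:
    """ROT-n (Caesar) shift of the letters in text; other characters pass through."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + n) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def atbash(text: str) -> str:
    """Atbash maps a<->z, b<->y, ... ; the mapping is its own inverse."""
    table = str.maketrans(LOWER + UPPER, LOWER[::-1] + UPPER[::-1])
    return text.translate(table)


# Assumed scoring dictionary for the demo: a handful of common English words.
COMMON_WORDS = {"the", "my", "will", "nobody", "password", "guess", "new",
                "only", "a", "few", "have", "like", "i", "did"}


def score(text: str) -> int:
    """Count dictionary words in a candidate plaintext (crude English detector)."""
    words = "".join(c.lower() if c.isalpha() else " " for c in text).split()
    return sum(1 for w in words if w in COMMON_WORDS)


def candidates(ciphertext: str) -> dict:
    """All 25 rotations plus Atbash, keyed by the transform name."""
    cands = {f"rot{n}": rot(ciphertext, n) for n in range(1, 26)}
    cands["atbash"] = atbash(ciphertext)
    return cands


def best_guess(ciphertext: str):
    """Return (transform name, plaintext) for the highest-scoring candidate."""
    cands = candidates(ciphertext)
    name = max(cands, key=lambda k: score(cands[k]))
    return name, cands[name]


# Constructed sample: Atbash-encode a phrase from the note to get a ciphertext.
SAMPLE_PLAINTEXT = "Nobody will guess my new password"
SAMPLE_CIPHERTEXT = atbash(SAMPLE_PLAINTEXT)   # "Mlylwb droo tfvhh nb mvd kzhhdliw"

if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT)
    print(best_guess(SAMPLE_CIPHERTEXT))
```

Because Atbash is an involution, applying it twice returns the original text, which is why the same function both encodes the sample and decodes it; the scorer only has to prefer the one candidate that produces dictionary words.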
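The wordlist step above relies on hashcat's mask syntax (`-a 3` with `?d`, `?s`, `?a` and `--stdout`). As an added example, not taken from the video or from hashcat itself, here is a small mask expander that reproduces the semantics of hashcat's built-in charsets so the size of a targeted keyspace can be checked before a cracking run; the charset strings are the ones hashcat documents in `--help`, and the mask values are the ones discussed in the transcript.

```python
import itertools
import string

# hashcat built-in charsets as printed by `hashcat --help`
# ?s is the space character plus the 32 printable ASCII punctuation marks (33 total)
SYMBOLS = " " + string.punctuation
CHARSETS = {
    "l": string.ascii_lowercase,                      # ?l
    "u": string.ascii_uppercase,                      # ?u
    "d": string.digits,                               # ?d
    "s": SYMBOLS,                                     # ?s
    "a": string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS,  # ?a
}


def parse_mask(mask: str, charsets=CHARSETS):
    """Turn a hashcat mask into a list of per-position alphabets.

    Literal characters become one-element alphabets; '??' is a literal '?'.
    Custom charsets (-1..-4) are not handled in this demo.
    """
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            sel = mask[i + 1]
            if sel == "?":
                positions.append("?")
            elif sel in charsets:
                positions.append(charsets[sel])
            else:
                raise ValueError(f"unknown charset ?{sel}")
            i += 2
        else:
            positions.append(ch)
            i += 1
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask expands to (product of alphabet sizes)."""
    n = 1
    for alphabet in parse_mask(mask):
        n *= len(alphabet)
    return n


def expand(mask: str):
    """Yield every candidate, in the same positional order itertools.product uses."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


if __name__ == "__main__":
    # Mask from the transcript: known prefix, two unknown digits, one symbol.
    m = "Morris19?d?d?s"
    print(m, "->", keyspace(m), "candidates")
    print("?a?a?a?a ->", keyspace("?a?a?a?a"), "candidates")
```

The contrast the video draws is visible in the numbers: four `?a` positions give 95^4 candidates, while pinning the prefix and restricting each position to `?d` or `?s` collapses the list to a few thousand lines, which is why targeted masks are worth building before brute force.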
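The bonus section shows why an NFSv3 export that trusts client UIDs, combined with a world-writable directory and a client mount that honours setuid bits, lets a setuid binary built elsewhere run with the export owner's effective UID. From the defender's side, the checks are: NFS mounts should carry `nosuid` (and usually `noexec`), exports should not use `no_root_squash` or `insecure`, and UID trust should be removed with `all_squash` or Kerberos security. The following audit script is an added example, not code from the video or from any NFS tooling; the mount and export lines it parses are constructed samples in `/proc/mounts` and `/etc/exports` format (the only value taken from the page is the box address 10.10.10.34), and `demo_setuid_scan` creates its own throwaway setuid file so the scanner can be exercised without touching a real share.

```python
import os
import stat
import tempfile


def audit_mounts(mounts_text: str):
    """Flag NFS mounts (from /proc/mounts-format text) that lack nosuid/noexec.

    Each line is: device mountpoint fstype options dump pass.
    """
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = parts[:4]
        if fstype not in ("nfs", "nfs4"):
            continue
        optset = set(opts.split(","))
        missing = [o for o in ("nosuid", "noexec") if o not in optset]
        if missing:
            findings.append((mnt, f"NFS mount {dev} missing {','.join(missing)}"))
    return findings


def audit_exports(exports_text: str):
    """Flag /etc/exports entries that widen trust on the server side.

    no_root_squash lets a client's root act as root; insecure allows source
    ports >1023; without all_squash (or sec=krb5*) the server believes
    whatever UID/GID an AUTH_SYS client presents, which is the spoof used above.
    """
    findings = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.partition("(")
            optset = set(opts.rstrip(")").split(",")) if opts else set()
            for bad in ("no_root_squash", "insecure"):
                if bad in optset:
                    findings.append((path, f"export to {host} uses {bad}"))
            kerberized = any(o.startswith("sec=krb5") for o in optset)
            if "all_squash" not in optset and not kerberized:
                findings.append((path, f"export to {host} trusts client UIDs (no all_squash or sec=krb5*)"))
    return findings


def find_setuid_files(root: str):
    """Walk root and return (path, owner uid) for regular files with setuid or setgid set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((p, st.st_uid))
    return hits


def demo_setuid_scan() -> int:
    """Constructed demo: create a throwaway setuid file and count what the scanner reports."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "suid")
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o4755)   # the owner may set the setuid bit on their own file
        return len(find_setuid_files(d))


# Constructed sample input (not the box's real configuration files).
SAMPLE_MOUNTS = """\
/dev/sda1 / xfs rw,relatime 0 0
jail:/var/nfsshare /mnt/jail nfs rw,relatime,vers=3,addr=10.10.10.34 0 0
"""
SAMPLE_EXPORTS = """\
# constructed example export file
/var/nfsshare 10.10.10.0/24(rw,sync,root_squash)
"""

if __name__ == "__main__":
    for mnt, msg in audit_mounts(SAMPLE_MOUNTS):
        print(f"[mount]  {mnt}: {msg}")
    for path, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"[export] {path}: {msg}")
    print("setuid files found in demo tree:", demo_setuid_scan())
```

Note that `root_squash` alone, which the sample export has, does not stop the technique in the video: it only remaps UID 0, so a client presenting UID 3 is still treated as adm. Mounting with `nosuid` is what makes a setuid file written through the share harmless on that client, and `all_squash` or Kerberos is what stops the server from trusting the client's claimed UID in the first place.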